70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 11: Group Policy for Corporate Policy
Guide to MCSE 70-294, Enhanced 2
Objectives
• Understand and describe the purpose of Group Policy
• Describe how Group Policy is applied
• Manage desktop computers using Group Policy
• Analyze and configure security settings using Group Policy
Objectives (continued)
• Install and use the Group Policy Management Console
• Troubleshoot Group Policy
Group Policy
• Introduced in Windows 2000
• Enhanced in:
  • Windows XP
  • Windows Server 2003
• Largely collection of registry entries
• Enhancements in Windows Server 2003:
  • Transient policy settings
  • Expanded capabilities
Administrative Templates
• Files with .adm extension
• Describe registry settings
  • Can be configured in policy or Group Policy
• Included with Windows Server 2003:
  • System.adm
  • Inetres.adm
  • Wmplayer.adm
  • Conf.adm
  • Wuau.adm
Client-side Extensions
• Allow for more advanced control and configuration
• Included with Windows Server 2003 and Windows XP:
  • EFS (encrypting file system) recovery
  • Folder redirection
  • Internet Explorer maintenance
  • IP security
Client-side Extensions (continued)
• Included with Windows Server 2003 and Windows XP:
  • Microsoft Disk Quota
  • QoS Packet Scheduler
  • Scripts
  • Security
  • Software installation
  • Wireless
Group Policy Storage
• Stored on
  • Domain controllers
  • Local computers
• Local policy object
  • Stored in hidden folder
  • Referred to as local computer policy
  • Applies only to local computer
  • Great for workgroup environment
Group Policy Storage (continued)
• GPOs
  • Stored on domain controllers
  • Centrally managed
  • Single GPO typically affects many users and computers
• One part stored in Active Directory database
  • Called group policy container (GPC)
• Other stored in SYSVOL share
  • Referred to as group policy template (GPT)
Group Policy Storage (continued)
• GPT subfolders:
  • Adm
  • USER
  • USER\applications
  • MACHINE
  • MACHINE\applications
Creating a Group Policy Object
• Tools for creating GPOs:
  • Group Policy standalone Microsoft Management Console (MMC) snap-in
  • Group Policy extension in Active Directory Users and Computers
Activity 11-1: Creating a Group Policy Object Using the MMC
• Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs
• Follow directions to create GPOs
Group Policy Processing
• GPOs linked to sites, domains, and organizational units using GPO links
  • Applies to user and computer objects that exist in container to which they are linked
• Can be linked with multiple organizational units, sites, or even domains
• Only stored on domain controllers in domain where created
Group Policy Priority
• Processing order:
  • First policy to be applied is the local computer policy
  • Any GPOs linked to site are applied
  • GPOs linked to domain are applied
  • GPOs linked to organizational units are applied
Group Policy Priority (continued)
• Process is followed twice
  • Once for Computer Configuration
    • When computer starts up
  • Once for User Configuration
    • When user logs on
Default GPO Processing Order
Dealing with Conflict
• Options for policy settings
  • Enabled
  • Disabled
  • Not Configured
• Policy settings from multiple GPOs can be combined
  • As long as they do not conflict
• In case of conflict:
  • GPO to be applied last wins
Modifying Group Policy Priority
• Modify priority by configuring settings:
  • No Override
  • Block Policy Inheritance
  • Loopback Processing Mode
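
The processing order, the "last GPO applied wins" rule, and the No Override and Block Policy Inheritance settings from the preceding slides can be modelled in a few lines. This is an added example, not part of the original slides: the policy names, the GPO names other than Marketing Policy, and the helper names are constructed, Loopback Processing Mode is not modelled, and the local computer policy is assumed never to be blocked.

```python
from dataclasses import dataclass, field

NOT_CONFIGURED = "Not Configured"

@dataclass
class Link:
    gpo: str
    settings: dict              # policy name -> "Enabled" | "Disabled" | "Not Configured"
    no_override: bool = False   # No Override flag on the GPO link

@dataclass
class Container:
    name: str                   # Local, Site, Domain, or an organizational unit
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(chain):
    """chain is ordered Local, Site, Domain, OU (parent before child)."""
    # Block Policy Inheritance drops links from containers above the blocking one,
    # except links flagged No Override. Assumption: index 0 (local) is never blocked.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                enforced.append(link)
            elif i == 0 or i >= cut:
                normal.append(link)
    # No Override links are applied after everything else, highest container last,
    # so a lower container cannot overwrite them.
    return normal + enforced[::-1]

def resultant_set(chain):
    """Return {policy: (state, winning GPO)}; Not Configured never overwrites."""
    result = {}
    for link in processing_order(chain):
        for policy, state in link.settings.items():
            if state != NOT_CONFIGURED:
                result[policy] = (state, link.gpo)
    return result

def sample_chain(block=True):
    # Constructed sample hierarchy for illustration only.
    return [
        Container("Local", [Link("Local Computer Policy",
                                 {"Hide Control Panel": "Disabled"})]),
        Container("Site"),
        Container("Domain", [
            Link("Domain Baseline", {"Screen saver lock": "Enabled"}, no_override=True),
            Link("Domain Desktop", {"Remove Run menu": "Enabled",
                                    "Hide Control Panel": "Enabled"}),
        ]),
        Container("OU=Marketing", [
            Link("Marketing Policy", {"Screen saver lock": "Disabled",
                                      "Remove Run menu": NOT_CONFIGURED,
                                      "Set wallpaper": "Enabled"}),
        ], block_inheritance=block),
    ]

if __name__ == "__main__":
    for policy, (state, gpo) in resultant_set(sample_chain()).items():
        print(f"{policy}: {state} (from {gpo})")
```

With blocking on at the OU, Domain Desktop is dropped but Domain Baseline still wins the conflict over the screen saver setting, which is the interaction to check first when a security baseline appears not to apply.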
Controlling Group Policy Application with Permissions
• GPOs cannot be linked to groups
• Application of Group Policy can be controlled through permissions
Controlling Group Policy Application with Permissions (continued)
• Standard permissions available to GPO:
  • Full Control
  • Read
  • Write
  • Create All Child Objects
  • Delete All Child Objects
  • Apply Group Policy
Activity 11-5: Filtering Group Policy Objects Using Security Permissions
• Objective: Use security permissions to filter and control the application of policy settings
• Follow instructions to stop settings in Marketing Policy GPO from applying to Administrators group
Windows Management Instrumentation Filters
• Used to restrict application of GPOs
• Control GPO application based on computer configuration, such as:
  • Hardware configuration
  • File existence or attributes
  • Applications being installed
  • Amount of free hard drive space
• Written in WMI Query Language (WQL)
• Does not apply to Windows 2000
Slow Link Detection
• When working over slow link
  • May be undesirable to apply parts of Group Policy
• Client pings domain controller several times
  • To determine link speed
  • 500 Kbps or less is considered slow
Default Slow Link Behavior
Desktop Management with Group Policy
• Desktop management
  • One of primary goals that can be accomplished with Group Policy
Restricting Windows
• Can protect users from their own mistakes
• Remove access to features such as:
  • Configuring proxy settings
  • Setting desktop wallpaper
Folder Redirection
• Allows administrator to change location of default Windows folders
• Locate on server:
  • Allows users to access information from any computer on network
Folder Redirection (continued)
• Folders that can be redirected are:
  • Application data
  • Desktop
  • My Documents
  • Start menu
Scripts
• GPOs can contain scripts for:
  • Logon
  • Logoff
  • Startup
  • Shutdown
• Can be written in languages such as
  • VBScript (.vbs)
  • JScript (.js)
• Must store scripts in location accessible to users running them
Security Management with Group Policy
• Security policy
  • Collection of security-related settings
  • Located in all GPOs
• Majority of security policy settings apply to computers
  • Found in Computer Configuration section
Account Policies
• Includes configuration settings that may be the initial step to securing computer network
• Must be configured in GPO linked to domain
• Subcategories:
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy
Local Policies
• Wide variety of settings
• Very flexible
• Categories:
  • Audit policy
  • User rights assignment
  • Security options
Restricted Groups
• Define users that are allowed membership to specific groups
• When group policy applied:
  • Any member of restricted group not listed in restricted group’s member list removed
• Prevents administrators from accidentally adding users to sensitive groups
System Services
• Define which services are started, stopped, or disabled on computers
• Can also configure security for services
• Effective way to disable unnecessary services on:
  • Client computers
  • Servers
Registry Settings
• Define security permissions for registry entries
• Applied to all computers affected by GPO
File System
• Defines NTFS permissions applied to local hard drives of computers affected by GPO
• Enhance security by removing permissions to files and folders
Wireless Network Policies
• Define settings for wireless network connectivity
• Configure which wireless networks workstations can connect to and automatically configure Wireless Encryption Protocol (WEP)
Public Key Policies
• Define configuration settings relating to use of different public key-based applications such as:
  • Encrypting file system (EFS)
  • Automatic certificate enrolment settings
  • Certificate Authority (CA) trusts
• Autoenrollment
  • New feature
  • Allows computers and users to request version 2 certificate templates automatically
Software Restriction Policies
• Define security settings related to what programs are allowed to run on system
• Individual rules can be based on:
  • File’s hash
  • Digital certificate used to sign executable
  • File’s path
  • Internet zone
IP Security Policies
• Define IPSec settings
• Can enable IPSec for entire network with little effort
Security Templates
• Used to:
  • Define, edit, and save baseline security settings
  • Applied to computers with common security requirements
  • Meet organizational security standards
• Help ensure
  • Consistent setting can be applied to multiple machines
  • Easily maintained
• Stored in .inf files
Security Templates (continued)
• Setup Security.inf
  • Default template
  • Provides single file in which all original computer security settings are stored
• Incremental templates
  • Only apply to machines already running default security settings
• Use Security Templates snap-in to create custom templates
Analyzing Security
• Security Configuration and Analysis utility
  • Compare current system settings to previously configured security template
• Identifies
  • Changes to original security configurations
  • Possible security weaknesses
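
The comparison this slide describes, a baseline .inf security template checked against a machine's current settings, can be sketched as follows. This is an added example, not part of the original slides and not the Security Configuration and Analysis tool itself: both .inf texts are constructed samples, and the rule that a lower number is "weaker" is an assumption applied only to the three keys listed in the code.

```python
import configparser

# Keys where a larger number is the stricter value (assumption of this example);
# any other differing key is reported only as "changed".
HIGHER_IS_STRICTER = {"MinimumPasswordLength", "PasswordHistorySize", "PasswordComplexity"}

def load_template(text):
    """Parse security-template .inf text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s not in ("Unicode", "Version")}

def analyze(template_text, current_text):
    """Return (section, key, expected, actual, status) for every deviation."""
    template, current = load_template(template_text), load_template(current_text)
    findings = []
    for section, keys in template.items():
        for key, want in keys.items():
            have = current.get(section, {}).get(key)
            if have is None:
                findings.append((section, key, want, None, "missing"))
            elif have != want:
                status = "changed"
                if key in HIGHER_IS_STRICTER and int(have) < int(want):
                    status = "weaker"
                findings.append((section, key, want, have, status))
    return findings

# Constructed baseline template.
BASELINE = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed "current settings" for the machine being analyzed.
CURRENT = """
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
[Event Audit]
"""

if __name__ == "__main__":
    for section, key, want, have, status in analyze(BASELINE, CURRENT):
        print(f"[{section}] {key}: expected {want}, found {have} -> {status}")
```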
Using the Group Policy Management Console
• Available as free download for Windows Server 2003 customers
• Brings together tools and options accessible from number of different tools
• Adds new functionality
• Highly recommended
  • Especially in large deployments
Troubleshooting Group Policy
• Most important thing is interaction of:
  • Links to containers
  • Priority ordering by administrators
  • No Override
  • Block Inheritance
  • ACL permissions
  • Loopback Processing Mode
  • WMI filters
Troubleshooting Tools
• Resultant Set of Policy (RSoP)
• Gpresult
• Gpupdate
• Dcgpofix
Summary
• Group Policy applies settings to users and computers in:
  • Site
  • Domain
  • Organizational unit
• Order of application for GPOs is:
  • Local
  • Site
  • Domain
  • Organizational unit
Summary (continued)
• User or computer must have Read and Apply Group Policy permissions on a GPO in order for the policy to apply
• To affect domain accounts, account policies must be set at the domain level
• Security management using Group Policy is accomplished with security templates